Arctic Fortress Protocol

No warranty. Use at your own risk.

As an individual your Bitcoin wallet security setup must allow for daily use but be resistant to violence and hacks. It must satisfy paranoid experts and provide an inheritance for novices.

This protocol describes a holistic system involving four(4) wallets each with increasing degrees of security. This system actually increases in security over time because of practice, redundancy and honeypots[1].

Peter walks you through the protocol

Optional: read Cryptoasset Inheritance Planning by Pamela Morgan[2].

After you finish setting up this four level wallet system, you should document your setup for your heirs using the template in Appendix A.

This security model applies to everyone (individuals not corporations). Also, we are optimizing for reducing human error and increasing recoverability over privacy. Additional privacy can be obtained by running your own Electrum protocol server[3].

We are trusting Bluewallet[4] and popular smartphones brands (Android or iPhone). Bluewallet is an open source mobile Bitcoin-only wallet.

Prerequisites:

  • 2 brand new phones[5].
  • 6 cryptosteel capsules[6].
  • 2 physical addresses for hiding items where you live and work[7].
  • 2 physical addresses for hiding items where a family member lives and at a bank safety deposit box[8].
  • Optional: 2 faraday bags[9].

Level 1: A Lightning wallet for spending

New and old Bitcoiners need a Lightning wallet to receive their first sats or spend their long awaited gains. I recommend a custodial Lightning wallet that's available in your jurisdiction. A custodial Lightning wallet will compete with cash, tap, pin and swipe at the checkout counter. You will follow the backup instructions for the Lightning wallet you've chosen. Typically, this will be registering your phone number and/or email address. If you are asked to write down any passwords, PINs or codes then put this on paper and store it at home in a hidden place (and in a digital password manager if you have one). This Lightning wallet should be installed on your daily use phone. You should now put a PIN, pattern, fingerprint or facial recognition lock on your phone (not on the wallet). This will encrypt your phone and keep it safe from passive theft when it's locked.

Level 2: A layer 1 Bitcoin wallet for savings

Properly saving your Bitcoin requires knowledge, confidence and honeypots. I recommend Bluewallet for your daily use phone. Before we get to cold storage we need a layer 1 hot wallet to move funds to/from our Lightning wallet or Bitcoin exchanges, and later to our cold storage.

  • Install Bluewallet by going to bluewallet.io and choosing the appropriate app store. Launch the app.
  • Tap on Add Wallet. Select the defaults and write down the 12-word backup phrase (aka seed) on a piece of paper. Beside each word put the number because the order of these words cannot be changed. Later, if you need to restore this wallet, when inputting the backup phrase you must leave a single space between each word but not at the end of the last word.
  • Now take your a cryptosteel capsule C1 and backup this 12-word phrase onto steel. Use the full length for each word and not just the first 4-characters of each word.
  • Hide the cryptosteel capsule in your home. If you don't know where to hide it then buy a book about "how to hide things". Because we will be hiding several things at home we will call this hidden spot H1, so we can refer to it later.

Seasoned Bitcoiners only (new users must skip): to sleep better about the quality of your random number (aka your backup phrase or seed) you should roll a die to generate your wallet and this will give you a 24-word backup phrase. In this case only backup the first 4-characters of each word onto your steel capsule. Also, you can use your own Electrum server with Bluewallet to gain additional privacy. You can configure that in the settings. Setting up an Electrum server is out of scope for this tutorial.

You've now become financially sovereign. You have some Bitcoin on the base layer. You've received Satoshi's gift.

Watch out for malware that swaps the Bitcoin address or Lightning invoice from your mobile clipboard. This is the most common threat when using mobile hot wallets. Always check the last few characters of an address/invoice.

Level 3: Cold Storage. Bluewallet on a brand new phone

For cold storage you will use a brand new phone (Android or iPhone).

  • Install Bluewallet by going to bluewallet.io and selecting the appropriate app store for your phone. Launch the app.
  • Tap on Add Wallet. Select the defaults. Tap Create.
  • Write down the 12-word backup phrase on a piece of paper. Beside each word put the number because the order of these words cannot be changed.
  • Now take your a cryptosteel capsule C2 and backup this 12-word phrase onto steel. Use the full length for each word and not just the first 4-characters of each word.
  • Hide the cryptosteel at home in hide spot H1.
  • Hide the phone at home in hide spot H2 away from the cryptosteel capsule C2.

The Seasoned Bitcoiners only section from level-2 applies here as well.

Using a phone as a cold storage device goes against some conventional wisdom. However, Bitcoiners like Peter Todd[10] have advocated for a phone approach and Paul Storcz[11] for a laptop approach both agreeing you shouldn't use a HWW. I've documented a full defense of using a dedicated phone over a hardware wallet in Appendix B.

Level 4: 2-of-2 multisig with Bluewallet

You're now prepared, knowledgeable and practiced enough to finish your ArcticFortress. You are going to create a 2-of-2 multisig Vault using two phones, each phone having its own Bluewallet app. Since there are two 12-word seeds and two brand new phones. We will refer to them as seed A (L4SA) used with phone A and seed B (L4SB) used with phone B. Phone A is the same phone you used above with your level-3 cold storage. Phone B is the second brand new phone that will store seed B.

Let's break this setup into four parts.

Part 1

  • In the Bluewallet app on phone A go to Settings (...) then tap General then turn on Advanced Mode.
  • Go back to the main screen and tap add a wallet. Select Vault. Tap Create.
  • Change the Vault settings to 2 of 2. Select best practice (p2wsh). Tap Done. Tap Let's start.
  • Vault Key 1 is Seed A which you will generate by tapping Create New. Write down the 12-word seed on a piece of paper. Beside each word, put the number because the order of these words cannot be changed.
  • Now take a cryptosteel capsule (C3) and backup this 12-word phrase onto steel. Use the full length for each word and not just the first 4-characters of each word.
  • If you don't have enough hide spots at home you can also hide the seed A capsule in H1 (where you hid the capsule for your level-3 wallet).
  • You should also make a second copy of the cryptosteel capsule for seed A (C4) and put it in a locker/safe at your work/office if you have this privilege. We will call this hide spot H3.

We need to keep phone A and B together during the setup for convenience.

Part 2

  • In the Bluewallet app on phone B go to Settings (...) then tap General then turn on Advanced Mode.
  • Go back to the main screen and tap add a wallet. Select Vault. Tap Create.
  • Change the Vault settings to 2 of 2. Select best practice (p2wsh).
  • Vault Key 1 xpub on phone B must be imported from phone A. On phone A display the xpub QR code of Vault Key 1 by tapping Share.
  • On phone B tap import and scan the QR code from phone A (not the seed QR but the xpub QR). If QR scanning fails use sharing the downloadable file.
  • Now on phone B for Vault Key 2 tap Create New and generate seed B. Write down the 12-word seed B on a piece of paper. Beside each word put the number because the order of these words cannot be changed.
  • Now take a cryptosteel capsule (C5) and backup this 12-word phrase onto steel. Use the full length for each word and not just the first 4-characters of each word.
  • Put cryptosteel capsule C5 in a bank safety deposit box we will call this hide spot H4.
  • Make a second copy of the cryptosteel capsule for seed B (C6). So that you have two copies of seed B on steel.
  • Give family member F1 the cryptosteel capsule C6 for seed B. We call this hide spot F1.

Part 3

  • On phone B show the xpub QR code for Vault Key 2 by tapping Share.
  • On phone A scan the QR code from phone B.
  • Now finish creating the vault on both phone A and phone B by tapping Create on each phone.
  • To check everything works you should do two things. First, go to receive in both wallets and make sure the first receiving address in each wallet matches.
  • Second, go to manage keys inside both wallets and make sure phone A only has seed A and xpub B. And that phone B only has xpub A and seed B. When the seed is present it will have a grey button which says “Forget this seed and use the XPUB instead”. When the Xpub/Zpub is present it will say “I have a seed for this key”.

Part 4

  • Now hide phone A back in hide spot H2.
  • Phone B you will give to family member F1 who lives in a different household than you and instruct them to hide it somewhere safe in their home and keep it powered down.
  • Now send a small test amount of BTC to this 2-of-2 wallet and get comfortable receiving then successfully sending BTC out of the wallet before you put a large amount on this wallet.

Congratulations! You now have an ArcticFortress. Remember to complete the inheritance template in Appendix A.

For Seasoned Bitcoiners only: You can over time harden your setup from catastrophic loss by making redundant backups of your level-4 seeds. I've called this protocol ArcticFortress in homage to Supermans' lair. Let's use a Superman analogy. Seed A and all its copies are your Superman seeds. Seed B and all its copies are Kryptonite seeds. Keep the Kryptonite away from Superman. Only give away to family or the bank/bullion vault your Kryptonite seeds. Superman seeds should be something you can access at home/work on any given day. Kryptonite seeds should be in a vault or a family member's home that's away from your home. Kryptonite is dangerous to Superman so you should always get to the Kryptonite in a way that someone can call the police if you are under duress. With that in mind, Seed A can additionally be stored in a password manager that has a remote/cloud backup if you understand the risks and how to manage the recovery of your password manager. Seed B can be copied onto additional cryptosteel capsules distributed to additional family members that have their own separate dwelling.

In Appendix D we discuss how this setup responds to the six(6) Fenton Tests. In Appendix E we discuss the pitfalls of 2-of-3 and 3-of-5 multisig setups.

Finally, let's summarize our hiding spots and what is hidden there.

H1 - at home hiding spot for your:
  • level-2 cryptosteel capsule C1
  • level-3 cryptosteel capsule C2
  • level-4 seed A cryptosteel capsule C3 (Superman seed)
H2 - at home hiding spot for your:
  • level-3 phone / level-4 phone A (Superman phone)
H3- office safe/work locker
  • level-4 seed A cryptosteel capsule C4 (Superman seed)
H4 - bank safety deposit box
  • level-4 seed B cryptosteel capsule C5 (Kryptonite seed)
F1 - a family member's home
  • level-4 phone B (Kryptonite phone)
  • level-4 seed B cryptosteel capsule C6 (Kryptonite seed)